Bug 394202 - ssl_GetPrivate can corrupt non-SSL private structures NSS_3_11_BRANCH
authornelson%bolyard.com
Sat, 01 Sep 2007 04:26:21 +0000
branchNSS_3_11_BRANCH
changeset 8032 e9f2153b564219ea2bcccc7440c3bcab5539d04c
parent 8028 4c6a4dd49d39621cccd3cbeed62caac2dc4d4337
child 8033 4c6081f2345b54c029431c3f3ff058c4a4c757d8
push idunknown
push userunknown
push dateunknown
bugs394202
Bug 394202 - ssl_GetPrivate can corrupt non-SSL private structures r=julien,wtc
security/nss/lib/ssl/sslsock.c
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -207,21 +207,32 @@ static sslSocket *
 ssl_GetPrivate(PRFileDesc *fd)
 {
     sslSocket *ss;
 
     PORT_Assert(fd != NULL);
     PORT_Assert(fd->methods->file_type == PR_DESC_LAYERED);
     PORT_Assert(fd->identity == ssl_layer_id);
 
+    if (fd->methods->file_type != PR_DESC_LAYERED ||
+        fd->identity != ssl_layer_id) {
+	PORT_SetError(PR_BAD_DESCRIPTOR_ERROR);
+	return NULL;
+    }
+
     ss = (sslSocket *)fd->secret;
     ss->fd = fd;
     return ss;
 }
 
+/* This function tries to find the SSL layer in the stack. 
+ * It searches for the first SSL layer at or below the argument fd,
+ * and failing that, it searches for the nearest SSL layer above the 
+ * argument fd.  It returns the private sslSocket from the found layer.
+ */
 sslSocket *
 ssl_FindSocket(PRFileDesc *fd)
 {
     PRFileDesc *layer;
     sslSocket *ss;
 
     PORT_Assert(fd != NULL);
     PORT_Assert(ssl_layer_id != 0);
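Review bot: The new guard in ssl_GetPrivate still dereferences `fd` unconditionally, and `PORT_Assert(fd != NULL)` is presumably compiled out of optimized builds, so a NULL descriptor would fault inside the check instead of taking the new error path; consider `if (fd == NULL || fd->methods->file_type != PR_DESC_LAYERED || fd->identity != ssl_layer_id) {`. The function can now return NULL, so every caller (none are visible in this hunk) must test the result before using the sslSocket; otherwise the corruption of a foreign layer's private data becomes a NULL dereference. The retained asserts on `file_type` and `identity` fire before the new check, so the PR_BAD_DESCRIPTOR_ERROR path appears reachable only in non-debug builds. That deserves a comment above the `if`, such as `/* Asserts catch a wrong layer in debug builds; this check protects optimized builds. */`. ssl_FindSocket's body continues past the end of the hunk, so how it handles a NULL result cannot be judged from here.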